Configuring the snmpd service in the operating system
July 10, 2024
ID 222969
Interaction with KSMG over SNMP is achieved using the 'snmpd' service of the operating system. The snmpd service acts as a master agent, receiving and processing requests from monitoring systems and other external consumers over SNMP. KSMG connects to the snmpd service as a subagent over the AgentX protocol through a UNIX socket.
Creating a user account for access to the data
Before creating the account, stop the snmpd service.
To ensure the security of access to the data over SNMPv3 with authentication and encryption, you need to create a user account on the snmpd service side with the following information:
- User name (case sensitive)
- Authentication algorithm (MD5 or SHA; SHA is recommended)
- Authentication password
- Encryption algorithm (only AES supported)
- Encryption password
For security purposes, we recommend using an independent user account on each node of the KSMG cluster.
You can create an account using the net-snmp-create-v3-user utility.
To create a user account using the net-snmp-create-v3-user utility:
- Connect to the cluster node over SSH to gain access to the Technical Support Mode.
- Run the following command:
net-snmp-create-v3-user -ro -a <authentication algorithm> -x <encryption algorithm> <user name>
Authentication and encryption passwords are requested interactively.
Example:
net-snmp-create-v3-user -ro -a SHA -x AES MonitoringUser
Creating a user account for receiving SNMP traps
To receive SNMP traps over SNMPv3 with authentication and encryption, you need to create an account on the side of the monitoring system in the context of the corresponding service (usually the snmptrapd service).
The account must contain the following information:
- User name
- Authentication algorithm
- Authentication password
- Encryption algorithm
- Encryption password
For security purposes, you must use separate user accounts for access to data and for receiving SNMP traps.
We recommend creating independent user accounts for receiving SNMP traps from each node of the KSMG cluster.
For instructions on creating a user account for receiving SNMP traps, refer to the documentation of your monitoring system.
Configuring the snmpd service
The configuration of the snmpd service is stored in the /etc/snmp/snmpd.conf file. You must create a new configuration file and add to it the following lines in the given order.
To configure the snmpd service:
- Connect to the cluster node over SSH to gain access to the Technical Support Mode.
- Create a new configuration file and set access permissions for it:
mv -f /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.backup
touch /etc/snmp/snmpd.conf
chown root:root /etc/snmp/snmpd.conf
chmod 600 /etc/snmp/snmpd.conf
- Specify the protocol, network interface address, and port number on which the snmpd service must listen for incoming requests.
- If you want to listen for requests on all network interfaces, add the following lines to the configuration file:
# Listen for incoming SNMP requests via UDP
agentAddress udp:161
- If you want to listen for requests only on the local network interface, for example, if the monitoring system is installed on the same machine, add the following lines:
# Listen for incoming SNMP requests via UDP
agentAddress udp:127.0.0.1:161
- Specify the path and permissions for the UNIX socket on which the snmpd service must listen for subagent connections over the AgentX protocol. To do so, add the following lines to the configuration file:
# Listen for subagent connections via UNIX socket
master agentx
agentXSocket unix:/var/run/agentx-master.socket
agentXPerms 770 770 kluser klusers
- If necessary, you can provide a system description, location of the system, and the contact address of the administrator. To do so, add the following lines to the configuration file:
# Basic system information
sysDescr <system_description>
sysLocation <system_location>
sysContact <contact_address>
sysServices 72
- Specify the scope of the OID tree that you want to be available to your monitoring system via the SNMP protocol. To have access to KSMG data, add the following lines to the configuration file:
# Kaspersky Secure Mail Gateway SNMP statistics
view monitoring included .1.3.6.1.4.1.23668.1735
- You can additionally specify the scope of the OID tree containing information about the operating system that is stored by the snmpd service. This scope will be available to your monitoring system.
Information about the operating system includes, for example, information about CPU and RAM usage, free space on disk partitions, load of network interfaces; a list of installed software; a list of open network connections; and a list of running processes. Part of this information may be confidential.
- If you want to allow access only to general system information and information about the usage of RAM, CPU, and disk devices, add the following lines to the configuration file:
# SNMPv2-MIB - Basic system information
view monitoring included .1.3.6.1.2.1.1
# HOST-RESOURCES-MIB - CPU, Memory, Filesystems
view monitoring included .1.3.6.1.2.1.25.1
view monitoring included .1.3.6.1.2.1.25.2
view monitoring included .1.3.6.1.2.1.25.3
view monitoring included .1.3.6.1.2.1.25.5
# UCD-SNMP-MIB - Memory and CPU usage
view monitoring included .1.3.6.1.4.1.2021.4
view monitoring included .1.3.6.1.4.1.2021.10
view monitoring included .1.3.6.1.4.1.2021.11
# UCD-SNMP-DISKIO-MIB - Block devices I/O statistics
view monitoring included .1.3.6.1.4.1.2021.13
# IF-MIB - Network interfaces I/O statistics
view monitoring included .1.3.6.1.2.1.2
view monitoring included .1.3.6.1.2.1.31
- If you want to allow access to all system information, add the following lines to the configuration file:
# Allow access to the whole OID tree
view monitoring included .1
- Specify the access mode and scope of information for the created user account. To do so, add the following lines to the configuration file:
# Access control for SNMPv3 monitoring system user
rouser <user name> priv -V monitoring
- To send SNMP traps, specify the IP address of the monitoring system and user credentials for receiving traps. To do so, add the following lines to the configuration file:
# Send SNMPv3 traps to the monitoring system
trapsess -Ci -v3 -t0.1 -r1 -l authPriv -u <user name> -a <authentication algorithm> -A "<authentication password>" -x <encryption algorithm> -X "<encryption password>" udp:<IP address>:162
The snmpd service will be configured.
To integrate with multiple monitoring systems, create a separate user account for each system, specify the scope of available information for each user account (the 'view' and 'rouser' directives) and configure the sending of SNMP traps (the 'trapsess' directive).
Example of an snmpd service configuration file:
# Listen for incoming SNMP requests via UDP
agentAddress udp:161

# Listen for subagent connections via UNIX socket
master agentx
agentXSocket unix:/var/run/agentx-master.socket
agentXPerms 770 770 kluser klusers

# Basic system information
sysDescr Example Mail Gateway Server, Node 05
sysLocation Example Datacenter, Ground floor, B23-U45
sysContact Mail system administrator <admin@example.com>
sysServices 72

# Kaspersky Secure Mail Gateway SNMP statistics
view monitoring included .1.3.6.1.4.1.23668.1735

# SNMPv2-MIB - Basic system information
view monitoring included .1.3.6.1.2.1.1
# HOST-RESOURCES-MIB - CPU, Memory, Filesystems
view monitoring included .1.3.6.1.2.1.25.1
view monitoring included .1.3.6.1.2.1.25.2
view monitoring included .1.3.6.1.2.1.25.3
view monitoring included .1.3.6.1.2.1.25.5
# UCD-SNMP-MIB - Memory and CPU usage
view monitoring included .1.3.6.1.4.1.2021.4
view monitoring included .1.3.6.1.4.1.2021.10
view monitoring included .1.3.6.1.4.1.2021.11
# UCD-SNMP-DISKIO-MIB - Block devices I/O statistics
view monitoring included .1.3.6.1.4.1.2021.13
# IF-MIB - Network interfaces I/O statistics
view monitoring included .1.3.6.1.2.1.2
view monitoring included .1.3.6.1.2.1.31

# Access control for SNMPv3 monitoring system user
rouser MonitoringUser priv -V monitoring

# Send SNMPv3 traps to the monitoring system
trapsess -Ci -v3 -t0.1 -r1 -l authPriv -u TrapUser -a SHA -A "TrapAuthSecret" -x AES -X "TrapPrivSecret" udp:10.16.32.64:162
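The following check is an added example, not part of the Kaspersky documentation: a Python script that parses snmpd.conf text and reports lines that deviate from the settings described in this section (priv security level and a restricted view for rouser, no view covering the whole OID tree, authPriv traps sent under a separate trap account, no AgentX socket access for others, configuration file mode 600). The function names, finding labels and sample input are constructed for illustration, and the parser assumes directives are written in the form shown on this page, with a space between each flag and its value.

```python
import os, shlex, stat
# Constructed sample: this page's directives with deliberate deviations to detect.
SAMPLE = '''\
agentXPerms 777 770 kluser klusers
view monitoring included .1.3.6.1.4.1.23668.1735
view monitoring included .1
rouser MonitoringUser auth -V monitoring
trapsess -Ci -v3 -l authNoPriv -u MonitoringUser -a MD5 -A "TrapAuthSecret" udp:10.16.32.64:162
'''

def opt(tokens, flag):  # value that follows a flag such as -u, or None
    return tokens[tokens.index(flag) + 1] if flag in tokens[:-1] else None

def audit(text):
    """Return sorted (line_number, finding) pairs for snmpd.conf text."""
    out, data_users, trap_users = [], set(), {}
    for n, raw in enumerate(text.splitlines(), 1):
        try:
            tok = shlex.split(raw, comments=True)
        except ValueError:  # unbalanced quote, e.g. an apostrophe in sysDescr
            tok = raw.split()
        if not tok:
            continue
        name, args = tok[0].lower(), tok[1:]
        if name == "rouser" and args:
            data_users.add(args[0])
            if len(args) < 2 or args[1] != "priv":  # page requires 'priv'
                out.append((n, "rouser-without-priv"))
            if len(args) < 3:  # no OID or -V view: nothing limits the user
                out.append((n, "rouser-unrestricted"))
        elif name == "view" and len(args) >= 3 and args[1] == "included":
            if args[2].strip(".") == "1":  # whole tree, incl. process lists
                out.append((n, "view-exposes-whole-tree"))
        elif name == "trapsess":
            if (opt(args, "-l") or "").lower() != "authpriv":
                out.append((n, "trap-not-authpriv"))
            if (opt(args, "-a") or "").upper() == "MD5":  # page recommends SHA
                out.append((n, "trap-md5-auth"))
            trap_users[n] = opt(args, "-u")
        elif name == "agentxperms" and args and set(args[0]) <= set("01234567"):
            if int(args[0], 8) & 0o007:  # page uses 770: no access for others
                out.append((n, "agentx-socket-world-accessible"))
    # The page requires separate accounts for data access and for traps.
    out += [(n, "trap-user-reused-for-data")
            for n, u in trap_users.items() if u in data_users]
    return sorted(out)

def mode_too_open(path):
    """True if group or others have any access (the page sets chmod 600)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)
```

Run audit() on the contents of /etc/snmp/snmpd.conf and mode_too_open() on its path; an empty list and False match the configuration described in this section.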
Starting the snmpd service with the new configuration
To apply the new configuration:
- Restart the snmpd service:
systemctl restart snmpd
- Check the status of the snmpd service:
systemctl status snmpd
The status must be running.
- Allow the service to start automatically at operating system startup:
systemctl enable snmpd
- If you are using a firewall in your operating system or network equipment, add rules to let SNMP packets through.
The snmpd service is configured.
Checking the health of the snmpd service
To test the snmpd service, configure the use of SNMP in the KSMG web interface and request SNMP data using the 'snmpwalk' utility.
To get the scopes of SNMP data provided by KSMG:
snmpwalk -v3 -l authPriv -u <user name> -a <authentication algorithm> -A "<authentication password>" -x <encryption algorithm> -X "<encryption password>" <IP address> .1.3.6.1.4.1.23668.1735
Example:
snmpwalk -v3 -l authPriv -u MonitoringUser -a SHA -A "MonitoringAuthSecret" -x AES -X "MonitoringPrivSecret" 127.0.0.1 .1.3.6.1.4.1.23668.1735